Configuring TrueSight Infrastructure Management to enable TLS 1.2

The following sections describe the configuration steps for both the local Integration Service and remote Integration Service in TLS 1.2 mode. Perform the configuration steps based on the type of Integration Service installed:

• Step 1: To configure the local Integration Service
• Step 2: To configure the remote Integration Service
• Step 3: To start the servers

To configure the local Integration Service

1. Stop the Infrastructure Management Server by running the following command: 

   pw system stop
2. Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.

3. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

   #pronet.apps.agent.conntype=tcp

4. Set the conntype value to ssltcp as shown in the following code block:

   #Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant
   pronet.apps.agent.conntype=ssltcp

   Note

   Modify the file present in the pw\custom\conf directory, if it is a local Integration Service.

5. Save and close the file.

To configure the remote Integration Service

1. Stop the Infrastructure Management Server by running the following command: 

   pw system stop
2. Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.

3. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

   #pronet.apps.agent.conntype=tcp

4. Set the conntype value to ssltcp as shown in the following code block:

   pronet.apps.agent.conntype=ssltcp
5. Save and close the file.

6. Logon to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command: 

   pw is stop
7. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
   1. Double-click the Services icon to launch the Services dialog box.
   2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop. 
   3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from Started to (blank).
8. Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\custom\conf directory.

9. Add or update the conntype value to ssltcp as shown in the following code block:

   pronet.apps.agent.conntype=ssltcp

   Note

   Modify the file present in the agent\custom\conf directory, if it is a remote Integration Service.

   
   

10. Save and close the file.

To start the servers

Perform the following set of steps after the configuration changes are completed.

To edit the Integration Service's properties

1. Log in to the TrueSight console, and access Configuration > Managed Devices. Managed Devices page displays the BMC TrueSight Infrastructure Management components that are displayed in a hierarchical order as shown in the following diagram.
   
2. Click the action menu  of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
3. Select the Edit option.
4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
5. Click Save.

6. Start the Infrastructure Management Server by running the following command:

   pw system start

7. Start the Integration Service (Unix) by running the following command:

   pw is start
8. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
9. Double-click the Services icon to launch the Services dialog box.
10. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Restart. 

11. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes to Started from (blank).

    Note

    The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

The following section guides you to configure the Integration Service to Cell communication in TLS 1.2. Choose the appropriate configuration steps based on the type (local / remote) of the Integration Service and the cell used.

• Step 1: To configure the local Integration Service
• Step 2: To configure the remote Integration Service
• Step 3: To configure the local Cell
• Step 4: To configure the remote Cell
• Step 5: To start the servers

To configure the local Integration Service

To configure the remote Integration Service

To configure the local Cell

To configure the remote Cell

To start the servers

Perform the following steps to configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2 mode:

To configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2

Perform the following steps to enable the Infrastructure Management Server to Oracle database communication in TLS mode:

1. Stop the Infrastructure Management Server by running the following command:

   pw system stop
2. Go to the <Infrastructure Management Server Install Directory>\pw\pronto\conf directory, and add COMDefine oracle.jdbc.autoCommitSpecCompliant=false in the pnagentcntl.conf file.
   
   
   

3. Go to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:

   #Syntax
   perl switchTLSMode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version>
   
   #Example
   perl switchTLSMode.pl -on -flow oracle -dbport 2484 -dbver 19C
   

   Parameter description

   The following notes describe the key parameters used in the preceding command:
   

   • -on/off: on option enables TLS mode of communication. off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
   • -flow: This variable can have two options: event_and_data, and oracle. If flow is set to oracle, the communication between the Infrastructure Management Server and the Oracle database is TLS 1.2 enabled.
   • -dbport: Specify the port number that is configured for the Oracle database communication.
   • -dbver: Specify the Oracle database version. There are two compatible Oracle database versions: 12C, 19C

4. Open the pronet.conf file in the <Infrastructure Management Server Install directory>\pw\custom\conf directory, and verify that the configuration parameters are set as shown in the following code block:

   pronet.api.database.portnum=2484
   #Configuration settings to make TLS compliant
   pronet.api.database.conntype=ssl
5. Verify that the latest oracle JDBC driver ojdbc8.jar is copied in the <Infrastructure Management Server Install directory>\pw\apps3rdparty\jdbc directory. 

6. Run the following command to verify if the Infrastructure Management server is able to establish a connection with Oracle database in TLS mode:

   #Microsoft Windows
   <Infrastructure Management Server Install directory>\pw\pronto\bin\runjava api.database.DbUpCheck
   
   #Linux
   <Infrastructure Management Server Install directory>/pw/pronto/bin/runjava api.database.DbUpCheck
   
   
   #Example output
   INFO 06/08 21:14:34 Library 600002 Setting SSL properties for Oracle database connection
   success

7. Start the Infrastructure Management Server by running the following command:

   pw system start

8. Run the following command to verify if the Infrastructure Management server is able to establish a connection with Oracle database:

   pw p l
   
   #Example Output
   BMC TrueSight Infrastructure Management Command Line Interface 2020 version 11.3.04
   
   Copyright
   1997-2020 BMC Software, Inc. as an unpublished work.  All rights reserved.
   
   Servers/Daemon Processes      
   ------------------------         
   services   15788             
   httpd    9024           
   jserver    9812      
   pronet_agent   12860       
   pronet_cntl   13364       
   tunnelproxy   14352              
   rate   10292
   Oracle  
   Running  on test-bmc-setup:2484             
   mcell    1788

   After restarting, the Infrastructure Management server status must be displayed as connected in the associated Presentation Server.

By default, the PATROL Agent communicates using either Transmission Control Protocol (TCP) or Secure Sockets Layer (SSL) protocol, but you can configure PATROL Agents to enable TLS 1.2 mode. 

The following process workflow guides you to configure the PATROL Agent to Integration Service communication to be TLS compliant:

1. Ensure that the signed certificates are generated for the Integration Service and imported into the PATROL Agent's client DB certificate store. 
   To generate signed certificates for the Integration Service, see Implementing-private-certificates-in-the-Integration-Service.
   
   
2. Ensure that the PATROL Agent and the TrueSight Integration Service are running at the same security level.

   • To change the PATROL Agent's security level, see Changing the PATROL Agent's security level.

   • To change the Integration Service's security level, see Changing the Integration Service's security level.
3. Configure the PATROL Agent to Integration Service communication to enable TLS mode.
   • Run the set_unset_tls command in the PATROL Agent
   • Run the set_unset_tls_is command in the Integration Service
     For details, see Configuring-the-PATROL-Agent-to-Integration-Service-communication-to-enable-TLS-1-2.
     
     

4. Update the PATROL Agent's registry files. 
   For details, see Updating the PATROL Agent registry files. 

5. Update the Integration Service's registry files. 
   For details, see Updating the Integration Service registry files.

By default, the PATROL Agent communicates with Integration Service in TLS 1.2 mode.

The following workflow guides you to upgrade the PATROL Agent to 22.3.01, which enables the communication between PATROL Agent and Integration Service to be TLS compliant by default.

1. Ensure that the Integration Service is configured in TLS mode and is at security level 2. Please refer page TLS
   By default the PATROL Agent and Integration Service uses the BMC Self Signed certificates shipped during the installation process.
   Location of default certificates on PATROL Agent:
   Windows -

   %{/BMC/INSTBASE}\common\security\config_v3.0\demo_certs\nss\demo_client`

   %{/BMC/INSTBASE}\common\security\config_v3.0\demo_certs\nss\demo_server

   Unix –

   %{/BMC/INSTBASE}/common/security/config_v3.0/demo_certs/nss/demo_client

   %{/BMC/INSTBASE}/security/config_v3.0/demo_certs/nss/demo_server

   Integration Service –  

   Windows -

   %{/BMC/INSTBASE}\TrueSight\pw\patrol\common\security\config_v3.0\demo_certs\nss\demo_client

   %{/BMC/INSTBASE}\TrueSight\pw\patrol\common\security\config_v3.0\demo_certs\nss\demo_server

   Unix –

   %{/BMC/INSTBASE}/TrueSight/pw/patrol/common/security/config_v3.0/demo_certs/nss/demo_client

   %{/BMC/INSTBASE}/TrueSight/pw/patrol/common/security/config_v3.0/demo_certs/nss/demo_server

2. In case user want to implement private certificates ensure that the signed certificates are generated for the Integration Service and imported into the PATROL Agent's client DB certificate store. 
   To generate signed certificates for the Integration Service, see Implementing private certificates in the Integration Service.
3. By default PATROL Agent uses “No Certificate Validation” option for the communication. If customer wants to implement “Certificate validation” option post installation they can execute following commands.

Windows -

1. 
   
   1. Stop PATROL Agent
   2. cd under  “%{/BMC/INSTBASE}\common\security\config_v3.0”
   3. set_unset_tls.cmd “%{/BMC/INSTBASE}” UNSET_TLS 2
   4. set_unset_tls.cmd “%{/BMC/INSTBASE}” SET_TLS 2 -serverDbPath %{/BMC/INSTBASE}\common\security\config_v3.0\demo_certs\nss\demo_server -clientDbPath %{/BMC/INSTBASE}\common\security\config_v3.0\demo_certs\nss\demo_client -identity "PatrolServer - BMC"
   5. Restart the PATROL Agent

Unix –

1. 
   
   1. Stop PATROL Agent
   2. cd under  “%{/BMC/INSTBASE}/common/security/config_v3.0”
   3. set_unset_tls.sh “%{/BMC/INSTBASE}” UNSET_TLS 2
   4. set_unset_tls.sh “%{/BMC/INSTBASE}” SET_TLS 2 -serverDbPath %{/BMC/INSTBASE}/common/security/config_v3.0/demo_certs/nss/demo_server -clientDbPath %{/BMC/INSTBASE}/common/security/config_v3.0/demo_certs/nss/demo_client -identity "PatrolServer - BMC"
   5. Restart the PATROL Agent

Perform the following steps to enable the Infrastructure Management Server to BMC Impact Integration Web Services (IIWS) communication to be TLS compliant:

• Step 1:  To configure the Infrastructure Management Server
• Step 2: To configure the BMC Impact Integration Web Services server
• Step 3:  To start the servers

To configure the Infrastructure Management Server

To configure the BMC Impact Integration Web Services server

To start the servers

Perform the following steps to enable the Infrastructure Management server main cell to Reporting engine communication to be TLS compliant:

• Step 1:To configure the Infrastructure Management server cell component
• Step 2:To configure the Reporting Engine component

To configure the Infrastructure Management server cell component

1. Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.

2. Check for the instance of the code line having encryption key value as shown in the following code block:

   gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>

   #Example

   gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783

3. Modify the existing value of encryption key to *TLS as shown in the following example:

   gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
4. Save and close the file.

5. Reload the mcell.dir file by entering the following command from a command line:

   #Syntax

   mcontrol -n cellName reload dir

   #Example

   mcontrol -n pncell_vm-w23-rds1016 reload dir

   Note

   pncell_vm-w23-rds1016 is the name of the cell.

   
   

To configure the Report Engine component

1. Navigate to the reportsCLI directory by running the following command:

   # Microsoft Windows operating system

   CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

   # Unix operating system

   $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

2. Initiate the configuration settings by running the following command:

   #Syntax

   tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]

   #Example

   tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin

   When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

   Parameter description

    The following notes describe the key parameters used in the preceding command:

   • cacerts: Name of the keystore and truststore file of the Report Engine.
   • <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
   • <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.

3. Enable the TLS configuration by running the following command:

   tls_config enable -component cell

 Perform the following steps to configure the Infrastructure Management server to Publishing Server communication to enable TLS 1.2 mode:

To configure the Infrastructure Management server

1. Stop the Infrastructure Management Server by running the following command:

   pw system stop
2. Using a text editor, open the pronet.conf located in the <Infrastructure Management Server Install Directory>\pw\custom\conf directory.
3. Add the following properties in pronet.conf as shown in the following code block:

   pronet.jms.passwd.file=pronto/conf/.ks_pass
   pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts
   pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks
   pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
   pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
4. Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
5. Comment out any existing instances of the code lines having encryption key value as mc as shown in the following code block:

   #Type                            <name>             encryption key                <host>/<port>
   #cell                      pncell_hostname         mc                pncell_hostname.bmc.com:1828
   #gateway.imcomm              gw_ps_pncell_hostname       mc                    hostname.bmc.com:1839
6. Add the code lines to set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>             encryption key               <host>/<port>
    cell                      pncell_hostname        *TLS            pncell_hostname.bmc.com:1828
   gateway.imcomm              gw_ps_pncell_hostname       *TLS                    hostname.bmc.com:1839
7. Save and close the file.
8. Using a text editor, open the smmgr.conf located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
9. Comment out any existing instance of the code line having ServerTransportProtocol value as tcp as shown in the following code block:

   #ServerTransportProtocol=tcp
10. Add the code lines to set the ServerTransportProtocol value to tls, and server certificate file name and key values as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key

    Notemcell.crt and mcell.key are the names of the cell key and the certificate. If the cell certificate and key names in your Infrastructure Management server are different then use the relevant names in the preceding settings. For more information about how to create cell key and certificate, see Implementing-private-certificates-in-the-TrueSight-Infrastructure-Management.
11. Save and close the file.
12. Start the Infrastructure Management Server by running the following command:

    pw system start